Key Points of Laos Digital Laws for Businesses — Data Protection and AI Compliance Checklist [25 Items] | Enison Sole Co., Ltd.
March 13, 2026
Lead text

Disclaimer: This article is intended for informational purposes only and does not constitute legal advice. For specific legal determinations, please consult an attorney well-versed in Lao law. Translations of laws and regulations are reference translations by the author; the Lao-language versions are the authoritative texts.

The first challenge companies operating in Laos face when they hear "digital law" is not knowing what they need to protect. Thailand has the PDPA, Vietnam has its Personal Data Protection Decree, but Laos does not yet have a comprehensive data protection law.

That said, this does not mean there are "no regulations." Laos has three laws — the Electronic Data Protection Law, the Cybercrime Law, and the Electronic Commerce Law — which already establish legal obligations regarding the unauthorized use of personal data, cross-border data transfers, and responses to cyberattacks. When it comes to AI use as well, there are certainly situations where liability can arise within the framework of existing laws.

This article organizes Laos's digital-related laws and regulations into a checklist of 25 items. It is designed as a practical tool for executives and legal officers to review their company's data management and AI use, and to identify any compliance gaps.

How to Use This Checklist

This checklist consists of the following 3 categories and 25 items in total.

Category        | No. of Items | Scope
Data Protection | 10 items     | Collection, storage, and transfer of personal data
AI Usage        | 8 items      | AI adoption, operation, and policy
Cybersecurity   | 7 items      | Incident response and technical security measures

How to use: Review each ☐ item in order to identify any unaddressed points. For items that are difficult to assess internally, consulting a local attorney well-versed in Lao law is recommended. If you need a PDF version of the checklist, it can be downloaded via the CTA at the bottom of the page.

What Are Laos's Digital-Related Laws? — An Overview of the 3 Laws

To understand Laos's digital regulations, it is first necessary to grasp that they are structured not as "one comprehensive law" but as "a combination of three separate laws."

Overview of the Electronic Data Protection Law (ກົດໝາຍວ່າດ້ວຍການປົກປ້ອງຂໍ້ມູນອີເລັກໂທຣນິກ)

Enacted in 2017, this law governs the protection of personally identifiable data processed electronically and serves as the core data protection legislation in Laos.

Key provisions:

  • Definition of personal data: Electronic data that can identify an individual (name, ID number, location information, etc.)
  • Collection principles: Clear statement of purpose and obtaining consent from the individual
  • Storage obligations: Security management through appropriate technical and organizational measures
  • Cross-border transfers: Conditions are imposed on the transfer of data outside the country
  • Penalties: Provisions for administrative and criminal penalties for violations

When building data infrastructure for clients, there were quite a few local IT vendors who were unaware of this law. The law exists, but there is still a gap in practical awareness of it.

Overview of the Cybercrime Law (ກົດໝາຍວ່າດ້ວຍການຕ້ານອາຊະຍາກຳທາງຄອມພິວເຕີ)

Enacted in 2015, this law categorizes cybercrimes such as unauthorized access, data tampering, and online fraud, and establishes penalties for each.

Key points for businesses to note:

  • Prohibition of unauthorized access: Covers not only unauthorized intrusion into company systems, but also employees accessing data beyond their authorized permissions
  • Data tampering and destruction: Criminal liability for intentional data manipulation
  • Incident reporting: Obligation to report cyberattacks to the authorities
  • Evidence preservation: Obligation to preserve and submit electronic evidence

For details on the realities of smartphone fraud in Laos and countermeasures, the related article provides an in-depth explanation of cybercrime law application cases.

Overview of the Electronic Commerce Law (ກົດໝາຍວ່າດ້ວຍທຸລະກຳທາງອີເລັກໂທຣນິກ)

Enacted in 2012 and revised in 2018, this law stipulates the legal validity of electronic signatures, the requirements for the formation of electronic contracts, and consumer protection.

  • Validity of Electronic Signatures: Electronic signatures that meet certain requirements carry the same legal effect as handwritten signatures
  • Electronic Contracts: Clarifies the requirements for the formation of contracts concluded online
  • Consumer Protection: Information disclosure obligations for EC businesses, return and refund rules
  • Data Storage: Requirements regarding the electronic storage of transaction records

Current Status and Future Outlook on the Absence of a PDPA-Type Comprehensive Law

While many ASEAN member states have enacted and enforced comprehensive data protection laws, Laos has yet to establish a unified PDPA-type law. However, this does not mean that regulations are "lax."

To outline the current landscape:

Country  | Comprehensive Data Protection Law      | Status
Thailand | PDPA (fully enforced in 2022)          | In force
Vietnam  | Personal Data Protection Decree (2023) | In force
Cambodia | Not yet enacted (draft stage)          | Under consideration
Laos     | Not yet enacted                        | Partially covered by Electronic Data Protection Law

The Lao Ministry of Science and Technology (MoST) is driving digital transformation, and given Laos's participation in the ASEAN Digital Economy Framework Agreement (DEFA), there is a strong likelihood that a comprehensive law will be enacted within the next few years. Establishing a minimum data governance framework at this stage represents the best preparation for future regulatory tightening.

Data Protection Checklist [10 Items]

Focusing on Laos's Electronic Data Protection Law, this article organizes the data protection items that companies should verify.

Checks Regarding the Collection and Acquisition of Personal Data

☐ Item 1: Is the purpose of personal data collection explicitly documented?

For each type of data collected, document "for what purpose" and "to what extent" it will be used. Laos's Electronic Data Protection Law requires that purposes be clearly stated, and collection based on vague justifications such as "we might use it in the future" is not permitted.

☐ Item 2: Has consent been obtained from the data subject?

Regardless of whether the data pertains to employees or customers, consent from the individual is required in principle for the collection of personal data. Records of consent obtained (when and for what scope) must also be retained.

In a Laos project, there was a client who operated without a Lao-language version of the consent form, using only English. Local staff were unable to understand the content, resulting in consent that was merely a formality — providing explanations in the local language is essential to ensuring that consent is meaningful.

☐ Item 3: Is the data collected limited to the minimum necessary?

Verify that data unnecessary for business operations — such as sensitive data including religion, ethnicity, and health information — is not being collected. This is particularly common in HR systems where "filling in all fields by default" has become standard practice.

☐ Item 4: Is a privacy policy presented at the time of data collection?

Regardless of the collection method — whether via website, app, or paper form — the privacy policy must be made accessible to the individual. Providing a Lao-language version is strongly recommended.

Checks on Data Storage and Management

☐ Item 5: Have you defined where and for how long data is stored?

Clarify "where" and "until when" data is stored. If you are using cloud services, you also need to know the physical location of the data centers.

☐ Item 6: Are access permissions managed according to the principle of least privilege?

A state where "everyone can access all data" is also a risk under cybercrime law. Set access permissions by department and job title, and conduct regular audits.
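As an added illustration of the "regular audit" half of Item 6 (this is example code written for this article, not an Enison tool), the following Python script reconciles the grants actually present in an access-control export against a role baseline keyed by department and job title. The baseline, the user names and the data-class labels are all constructed assumptions; in practice the baseline would come from your HR role matrix and the grants from your IAM or database export.

```python
from dataclasses import dataclass

# Hypothetical role baseline (an assumption for this example): the data classes
# each (department, job title) pair is permitted to access.
ROLE_BASELINE = {
    ("HR", "manager"): {"employee_records", "payroll"},
    ("HR", "staff"): {"employee_records"},
    ("Sales", "staff"): {"customer_contacts"},
    ("IT", "admin"): {"system_logs"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    department: str
    title: str
    data_class: str


# Constructed sample of effective grants exported from an access-control system.
SAMPLE_GRANTS = [
    Grant("somphone", "HR", "staff", "employee_records"),
    Grant("somphone", "HR", "staff", "payroll"),            # exceeds role baseline
    Grant("khamla", "Sales", "staff", "customer_contacts"),
    Grant("khamla", "Sales", "staff", "employee_records"),  # exceeds role baseline
    Grant("noy", "IT", "admin", "system_logs"),
    Grant("vilay", "Finance", "staff", "payroll"),          # role has no baseline at all
]


def audit_grants(grants, baseline=ROLE_BASELINE):
    """Compare each grant with the role baseline.

    Returns a sorted list of (user, data_class, reason) findings; an empty list
    means every grant is covered by the user's department/title baseline.
    A role with no baseline entry is itself a finding: nobody has decided what
    that role may see, so its grants cannot be justified.
    """
    findings = []
    for g in grants:
        allowed = baseline.get((g.department, g.title))
        if allowed is None:
            findings.append((g.user, g.data_class, "no baseline defined for role"))
        elif g.data_class not in allowed:
            findings.append((g.user, g.data_class, "not permitted for role"))
    return sorted(findings)


def users_with_excess_access(grants, baseline=ROLE_BASELINE):
    """Per-user view for the access review: {user: [data classes to revoke]}."""
    result = {}
    for user, data_class, _reason in audit_grants(grants, baseline):
        result.setdefault(user, []).append(data_class)
    return {u: sorted(v) for u, v in result.items()}


if __name__ == "__main__":
    for user, data_class, reason in audit_grants(SAMPLE_GRANTS):
        print(f"{user}: {data_class} ({reason})")
```

Running the script against the constructed grants flags two users holding data classes their role does not cover and one user whose role has no baseline at all; the IT administrator with exactly the baseline grant produces no finding. Scheduling this comparison quarterly, and keeping its output alongside the revocation tickets, gives you the audit trail Item 6 asks for.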

☐ Item 7: Have you implemented data encryption and security management measures?

Both encryption at rest and encryption in transit are required. In particular, since some areas within Laos have unstable internet environments, ensuring the security of communication channels is critical.

Checks on Cross-Border Data Transfers

☐ Item 8: Are you aware of whether personal data is being transferred across borders?

Simply using SaaS tools (Google Workspace, Salesforce, etc.) results in data being transferred outside the country. Conduct an inventory of where data is stored for all services your organization uses.

☐ Item 9: Have you confirmed the level of data protection in the countries/regions to which data is transferred?

Laos's Electronic Data Protection Law imposes conditions on cross-border transfers. Verify whether the destination country has an adequate data protection framework, and whether contractual safeguards (equivalent to Standard Contractual Clauses) are in place.

☐ Item 10: Have you established rules for data sharing among group companies?

Data sharing with a parent company (in Japan, Thailand, etc.) also constitutes a cross-border transfer. The assumption that "it's fine because it's within the group" is incorrect. Execute data sharing agreements between group companies and clearly establish the legal basis for each transfer.

Five years ago, while sharing confidential information on a project in Laos, we were flagged for not specifying the scope of sharing in the contract, and had to hastily draft an additional data processing agreement. Reactive measures cost both time and trust.

AI Usage Checklist [8 Items]

There are no regulations specific to AI in Laos. However, legal liability related to AI use arises under the framework of three existing laws and general contract and labor law.

Legal Risk Assessment When Introducing AI

☐ Item 11: Have you identified the types of data processed by your AI systems?

When AI processes personal data, it falls under the scope of the Electronic Data Protection Law. Conduct an inventory of the types and volume of data handled by AI, including chatbots, recruitment screening, and customer analytics.

☐ Item 12: Have you incorporated human oversight into your AI decision-making processes?

While Laos does not have a "high-risk AI" classification equivalent to the EU AI Act, it is strongly recommended to include human review in AI-driven decisions that have a significant impact on individuals, such as personnel evaluations, credit assessments, and medical diagnoses. This not only reduces the risk of administrative guidance but also offers practical benefits in ensuring decision transparency.

For a comparison with the EU AI Act and the latest trends in global AI governance, see the related article on AI governance.

☐ Item 13: Do your contracts with AI vendors include data processing clauses?

When using external AI services (such as the ChatGPT API or Claude API), verify through your contracts how input data is handled on the vendor's side. A particularly important point to confirm is whether the data will be used for model training.

Handling of AI-Generated Data

☐ Item 14: Have you clarified the attribution of copyright and intellectual property rights for AI-generated content?

Laos copyright law does not clearly stipulate the attribution of rights for AI-generated works. Establish internal usage rules, including how AI-generated works are to be credited and what disclosure policies apply when publishing them externally.

☐ Item 15: Is there a fact-checking system in place for AI output?

Submitting AI-generated information as-is to customers or government agencies creates liability risks due to potential misinformation. Particularly when using AI output in legal documents or official applications, a review process by qualified professionals should be mandatory.

AI Usage Policy for Employees

☐ Item 16: Have you defined which AI tools employees are permitted to use for work purposes?

Unauthorized use of AI tools (shadow AI) can be a cause of unintended data leakage. Create a list of approved tools and establish rules for their use (including defining what information must not be entered).

☐ Item 17: Have you implemented training and education on AI usage?

Having a policy alone is not sufficient. For local staff in Laos in particular, it is necessary to prepare training materials in the Lao language so that they can understand the risks of AI usage and how to use it appropriately.

☐ Item 18: Have you established a reporting flow for incidents arising from AI usage?

Define an escalation flow to address AI-specific incidents, such as damages caused by AI misjudgments or data leakage via AI. It is practical to integrate this with the existing cybersecurity incident reporting flow.

For technical countermeasures related to AI security, supplementary information is provided in the Laos AI Security Checklist.

Cybersecurity Checklist [7 Items]

Focusing on the Cybercrime Law, this section examines the corporate security framework.

Incident Reporting Obligations

☐ Item 19: Are you aware of the reporting destinations and deadlines in the event of a cyber incident?

The Cybercrime Law mandates reporting to authorities when an incident occurs. Confirm in advance the reporting destinations (such as LaoCERT under the Ministry of Science and Technology) and reporting procedures. It is too late to start looking into this after an incident has already occurred.

☐ Item 20: Have you developed an Incident Response Plan (IRP) and conducted regular drills?

In addition to developing a plan, conduct drills (tabletop exercises) at least once a year. In Laos's telecommunications environment, emergency communication methods with headquarters may differ from normal channels — include satellite communications and offline communication methods in the plan as well.

☐ Item 21: Have you established log retention periods and preservation procedures?

The Cybercrime Law requires the preservation of electronic evidence. Retain system logs and access logs for a minimum of one year, and implement tamper-prevention measures. Ensure you are prepared to respond to submission requests from investigative authorities.
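One concrete way to implement the "tamper-prevention" and "minimum retention" parts of Item 21 is to store log lines as a hash chain, where each record commits to the hash of the one before it, and to gate deletion on the line's own timestamp. The Python below is an added example for this article (not Enison code and not a requirement of the Cybercrime Law); the log lines, their `timestamp user=... action=...` format and the one-year retention constant are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

GENESIS_HASH = "0" * 64          # anchor for the first record in the chain
RETENTION = timedelta(days=365)  # one-year minimum retention from the checklist item

# Constructed sample access-log lines; the timestamp is always the first field.
SAMPLE_LOGS = [
    "2025-01-15T08:30:00Z user=somphone action=login result=ok",
    "2025-01-15T08:31:10Z user=somphone action=read object=payroll result=denied",
    "2025-06-01T09:00:00Z user=khamla action=export object=customer_contacts result=ok",
]


def _link_hash(prev_hash, line):
    """SHA-256 over the previous hash plus the line, so each record commits to its predecessor."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def chain_logs(lines):
    """Wrap log lines in hash-chained records suitable for write-once archiving."""
    records, prev = [], GENESIS_HASH
    for line in lines:
        digest = _link_hash(prev, line)
        records.append({"line": line, "prev": prev, "hash": digest})
        prev = digest
    return records


def verify_chain(records):
    """Return -1 if the chain is intact, else the index of the first record that fails.

    Editing a line changes its hash; deleting a record breaks the 'prev' link of the
    record after it; both are reported at the first position where the chain no longer
    matches what was originally written.
    """
    prev = GENESIS_HASH
    for i, rec in enumerate(records):
        if rec["prev"] != prev or rec["hash"] != _link_hash(prev, rec["line"]):
            return i
        prev = rec["hash"]
    return -1


def _timestamp(text):
    """Parse an ISO 8601 UTC timestamp of the form used in the sample lines."""
    first = text.split(" ", 1)[0]
    return datetime.strptime(first, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def purgeable_indices(records, now_iso, retention=RETENTION):
    """Indices of records older than the retention period; every other record must be kept."""
    cutoff = _timestamp(now_iso) - retention
    return [i for i, rec in enumerate(records) if _timestamp(rec["line"]) < cutoff]


if __name__ == "__main__":
    recs = chain_logs(SAMPLE_LOGS)
    print("chain intact:", verify_chain(recs) == -1)
    print("purgeable on 2026-03-13:", purgeable_indices(recs, "2026-03-13T00:00:00Z"))
```

The chain only proves that the archive matches what was originally written; it does not stop a privileged administrator from rewriting the whole chain. Anchoring the latest hash somewhere the log writer cannot alter (a separate append-only store, a signed daily digest, or a ticket sent to a different team) closes that gap. When records older than the retention period are purged, keep the hash of the last purged record as the new anchor so the remaining chain still verifies.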

Technical Security Control Measures

☐ Item 22: Have you implemented a firewall and intrusion detection/prevention system (IDS/IPS)?

In addition to basic perimeter defense, a design that accounts for the network characteristics specific to Laos (unstable bandwidth, diversity of ISPs) is necessary. There may be significant differences in communication quality between offices in Vientiane and regional locations.

☐ Item 23: Are software vulnerability patches applied on a regular basis?

Patch management is the most fundamental of basics; however, the reality at local offices in Laos is that updates often cannot be performed due to insufficient bandwidth. Procedures for offline updates should also be prepared.

☐ Item 24: Have you implemented a security awareness program for employees?

A comprehensive program—including phishing email drills, password management training, and physical security measures (such as restrictions on bringing in USB drives)—should be conducted at least twice a year.

☐ Item 25: Have you developed a backup and disaster recovery (DR) plan?

Data backups should be stored at multiple locations both within and outside the country. As Laos is also subject to natural disaster risks (such as flooding), physical distribution of storage should be taken into consideration. The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) should be clearly defined.
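To make the RTO, RPO and "multiple locations inside and outside the country" requirements of Item 25 checkable rather than aspirational, the added Python example below (written for this article; not Enison code) scores a backup catalogue against numeric targets. The catalogue entries, site names, country codes and the restore-drill figure are all constructed assumptions; RTO cannot be read from a catalogue, so it is fed in as the measured duration of the most recent restore drill.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Backup:
    site: str       # label of the storage location
    country: str    # ISO 3166 code of the storage location
    taken_at: str   # completion time, ISO 8601 UTC ("...Z")
    status: str     # "ok" or "failed"


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed backup catalogue: a Vientiane office with an off-site copy in Bangkok.
SAMPLE_CATALOGUE = [
    Backup("vientiane-nas", "LA", "2026-03-12T18:00:00Z", "ok"),
    Backup("vientiane-nas", "LA", "2026-03-12T22:00:00Z", "failed"),
    Backup("bangkok-object-store", "TH", "2026-03-11T18:00:00Z", "ok"),
]


def latest_ok_per_site(catalogue):
    """{site: (completion time, country)} of the newest successful copy at each site."""
    latest = {}
    for b in catalogue:
        if b.status != "ok":
            continue
        t = _parse(b.taken_at)
        if b.site not in latest or t > latest[b.site][0]:
            latest[b.site] = (t, b.country)
    return latest


def assess_dr(catalogue, now_iso, rpo_hours, rto_hours, last_restore_hours, home_country="LA"):
    """Return a list of (code, detail) findings; an empty list means all targets are met.

    rpo_hours / rto_hours are the agreed objectives; last_restore_hours is the measured
    time of the most recent restore drill, or None if no drill has been run.
    """
    now = _parse(now_iso)
    latest = latest_ok_per_site(catalogue)
    if not latest:
        return [("NO_BACKUP", "no successful backup in catalogue")]
    findings = []
    # RPO: every site must hold a successful copy no older than the objective.
    for site, (t, country) in sorted(latest.items()):
        age_h = (now - t).total_seconds() / 3600
        if age_h > rpo_hours:
            findings.append(("RPO_MISSED",
                             f"{site} ({country}): latest successful copy is {age_h:.0f}h old, RPO target {rpo_hours}h"))
    # Geographic distribution: at least one good copy inside and one outside the home country.
    countries = {country for _, country in latest.values()}
    if countries <= {home_country}:
        findings.append(("NO_OFFSITE", "no successful copy stored outside " + home_country))
    if home_country not in countries:
        findings.append(("NO_ONSITE", "no successful copy stored inside " + home_country))
    # RTO: only a real restore drill demonstrates that the objective is achievable.
    if last_restore_hours is None:
        findings.append(("RTO_UNTESTED", "no restore drill on record"))
    elif last_restore_hours > rto_hours:
        findings.append(("RTO_MISSED", f"last restore took {last_restore_hours}h, RTO target {rto_hours}h"))
    return findings


if __name__ == "__main__":
    for code, detail in assess_dr(SAMPLE_CATALOGUE, "2026-03-13T06:00:00Z", 24, 8, 6):
        print(code, "-", detail)
```

With the constructed catalogue and a 24-hour RPO, the Vientiane copy is 12 hours old and passes, but the Bangkok copy is 36 hours old and is reported; note that the failed 22:00 run is ignored rather than counted as a copy. Feeding the same catalogue with only the Lao entries produces a `NO_OFFSITE` finding, which is the condition the flood-risk remark in this item is meant to prevent.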

Relationship with the ASEAN Digital Economy Framework Agreement (DEFA) — Preparing for Future Regulatory Tightening

Laos's legal development is not "lagging behind" but rather in a phase of "catching up." DEFA is the accelerator driving that process.

Overview of DEFA and Laos's Position

DEFA, signed by all 10 ASEAN member states in 2025, is a framework that harmonizes rules for digital trade and data flows within the region. It covers the following areas:

  • Facilitation of cross-border data flows
  • Interoperability of digital payments
  • Cybersecurity cooperation
  • Common principles for AI governance
  • Consumer protection

Although Laos has a relatively small digital economy within ASEAN, its participation in DEFA will subject it to external pressure — along with support — to accelerate the development of its domestic legal framework.

Direction of Cross-Border Data Flow Rules

DEFA is founded on the principle of "trust-based data distribution" and requires member countries to meet a minimum standard of data protection. This effectively serves as a signal urging Laos to enact a comprehensive PDPA-style legislation.

What companies should do now is clear: build a data governance framework that anticipates the standards required by DEFA. Specifically:

  1. Conduct data mapping (what data exists, where it resides, and how it flows)
  2. Establish data processing agreements (between vendors and group companies)
  3. Localize privacy policies into multiple languages (Lao and English)
  4. Build an incident response framework

These four measures are fundamental requirements that will be demanded regardless of what legislation is enacted in the future, meaning the investment will never go to waste.

Common Oversights and Practical Pitfalls

The Misconception That "Anything Goes Because There Are No Laws"

Many companies interpret the absence of a comprehensive data protection law as meaning there are "no regulations." However, the Electronic Data Protection Law and the Cybercrime Law unquestionably exist, and violations carry penalties. Furthermore, law enforcement in Laos has a personal and discretionary dimension, meaning that claiming "I was unaware of the law" will not hold up when problems arise.

In a case the author personally witnessed, a foreign-affiliated company had transferred a customer database to servers outside Laos without authorization. When authorities launched an investigation, the company argued that it had "heard Laos had no data protection law," but only upon being shown the specific provisions of the Electronic Data Protection Law did it grasp the seriousness of the situation. The company ultimately received a corrective order and was fined.

Administrative Guidance Risk from the Ministry of Science and Technology (MoST)

In Laos, there are situations where ministerial administrative guidance (circulars and guidelines) carries substantive regulatory force, not just the text of legislation. The Ministry of Science and Technology (ກະຊວງເຕັກໂນໂລຊີ ແລະ ການສື່ສານ) is the competent authority for digital policy, and guidance may be issued even on matters not explicitly stipulated in law.

Countermeasures include:

  • Regularly monitoring official announcements from MoST
  • Obtaining up-to-date information through retainer agreements with local law firms
  • Leveraging networks of industry associations (such as the Lao National Chamber of Commerce and Industry)

Contractual Blind Spots with Local Partners

Many foreign companies operating in Laos share data with local partners (joint venture partners, agents, subcontractors). Typical blind spots in this area:

  • Management of data processing subcontractors: Whether partners have implemented appropriate security measures is often unverified
  • Data return and deletion upon contract termination: Many contracts fail to explicitly address this
  • Restrictions on sub-processing: Addressing cases where partners further transfer data to third parties
  • Audit rights: Securing the right to verify partners' data management practices

FAQ

Q1: Does Laos have a comprehensive data protection law like the GDPR?

Laos partially addresses personal data protection through its Electronic Data Protection Law (2017), but has yet to enact comprehensive legislation comparable to the GDPR or Thailand's PDPA. However, given its participation in the ASEAN DEFA, there is a possibility that comprehensive legislation will be enacted within the next few years. For the time being, compliance with the existing three laws represents the minimum baseline.

Q2: Is notification or approval required when using AI for business purposes?

At present, there is no notification or licensing system specifically dedicated to AI use. However, where AI processes personal data, the Electronic Data Protection Law applies. Additionally, in regulated industries such as finance, healthcare, and education, sector-specific regulations may extend to AI use as well. It is recommended to confirm requirements in advance with the relevant regulatory authority for each sector.

Q3: What are the requirements for transferring personal data outside of Laos?

The Electronic Data Protection Law imposes conditions on cross-border transfers, but the specific procedures (equivalents to adequacy decisions and SCCs) are not prescribed in as much detail as under the GDPR. In practice, the minimum measures to implement include verifying the level of data protection at the destination, executing a data processing agreement, and notifying the data subjects. It should be noted that the use of cloud services also constitutes a cross-border transfer.

Q4: What are the penalties for violations?

The penalties vary depending on the applicable law. The Cybercrime Law stipulates imprisonment (up to 5 years) and fines for unauthorized access and data tampering. The Electronic Data Protection Law focuses primarily on administrative penalties (corrective orders, business suspension orders, etc.). While the monetary penalties themselves are not as high as those under the GDPR (4% of revenue), the more serious practical risks are the revocation of business licenses in Laos and the deterioration of relationships with authorities.

Next Steps After Check Completion

Once you have completed the 25-item checklist, proceed with actions in the following order of priority.

1. Priority Classification of Unaddressed Items

Priority | Criteria                                                                                        | Target Response Deadline
High     | Risk of penalties if a violation is discovered                                                  | Within 1 month
Medium   | No direct penalties at present, but compliance will become mandatory with tightening regulations | Within 3 months
Low      | Recommended as best practice                                                                    | Within 6 months

2. Consulting Specialists

Engage a lawyer well-versed in Lao law to assess the risks of unaddressed items and develop remediation measures. Vientiane is home to branches of international law firms, including some that offer services in English and Japanese.

3. Deepen Your Knowledge with Related Articles

  • Overview of AI Governance — A comparison of global AI regulations, including the EU AI Act
  • Laos AI Security Checklist — Details on technical security measures
  • Laos Smartphone Fraud Prevention Guide — Real-world examples and countermeasures under cybercrime law

4. Conducting Regular Reviews

Lao laws and regulations are still evolving. Review this checklist once per quarter to reflect new legislation, ministerial notifications, and developments related to DEFA.

Author & Supervisor

Boun (Enison)

After graduating from RBAC (Rattana Business Administration College), he began his career as a software engineer in 2014. Over 22 years, he has designed and developed data management systems and operational efficiency tools for international NGOs in the hydropower sector, including WWF, GIZ, NT2, and NNG1. He has led the design and implementation of AI-powered business systems. With expertise in natural language processing (NLP) and machine learning model development, he is currently driving AIDX (AI Digital Transformation) initiatives that combine generative AI with large language models (LLMs). His strength lies in providing end-to-end support — from formulating AI utilization strategies to hands-on implementation — for companies advancing their digital transformation (DX).

Yusuke Ishihara (Enison)

Started programming at age 13 with MSX. After graduating from Musashi University, worked on large-scale system development including airline core systems and Japan's first Windows server hosting/VPS infrastructure. Co-founded Site Engine Inc. in 2008. Founded Unimon Inc. in 2010 and Enison Inc. in 2025, leading development of business systems, NLP, and platform solutions. Currently focuses on product development and AI/DX initiatives leveraging generative AI and large language models (LLMs).
